Liquidia Corp 10-K Cybersecurity GRC - 2025-03-19

Page last updated on March 19, 2025

Liquidia Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2025-03-19 06:45:31 EDT.

Filings

10-K filed on 2025-03-19

Liquidia Corp filed a 10-K at 2025-03-19 06:45:31 EDT
Accession Number: 0001558370-25-003237

Note: filing items unformatted. Drop us a note with the above URL to help us prioritize formatting it!

Item 1C. Cybersecurity.

Item 1C. Cybersecurity. Risk Management and Strategy Integrated Risk Management Our cybersecurity risk management program is an important component of, and is integrated into, our overall risk management process. Our Board, acting primarily through the Audit Committee, actively oversees the strategic direction, objectives and effectiveness of our risk management practices, including cybersecurity risk management, while management is responsible for the day-to-day management of the Company’s risk exposure, subject to the direction and objectives established by our Board. As an important component of our risk management process, management reviews risks from cybersecurity threats and our programs for evaluating, mitigating and educating its employees regarding cybersecurity risks. The program includes a comprehensive set of security policies and procedures, including regular network and endpoint monitoring, managed detection and response, system patching, managed security services, server and endpoint scheduled backups, awareness training and testing, periodic vulnerability assessments and penetration testing, to update our ongoing cybersecurity risk identification and mitigation efforts. We have also implemented a well-established incident response plan to address cybersecurity threats and incidents related to operational risk, intellectual property theft, reputational risks, fraud and extortion, harm to the personal identifying data of employees or customers, violations of laws, and other risks, including procedures for (i) detection and analysis, (ii) containment and eradication, (iii) remediation and (iv) preparation for future incidents. These processes are aligned with standard industry frameworks, such as the National Institute of Standards and Technology, Committee of Sponsoring Organizations and International Organization for Standardization 27001, and other industry standards. Engagement of Third-party Support To further improve the effectiveness of our cybersecurity risk management program, we engage third-party service providers to conduct evaluations of our security controls, whether through penetration testing, independent audits or consulting on best practices to address new challenges. These evaluations include testing both the design and operational effectiveness of cybersecurity controls. Third-party Risk Management We also implement third-party risk assessments to identify, assess and monitor material risks from cybersecurity threats associated with the use of any third-party vendor who interacts with our technology infrastructure or our confidential, proprietary, or personal information, or is otherwise part of our supply chain. These assessments include identifying and evaluating cybersecurity risks as part of the due diligence conducted prior to the selection of third-party service providers, recurring risk assessments to ensure such third-party vendors have acceptable levels of cybersecurity controls in place and ongoing monitoring to address material cybersecurity risks that may arise from such third-party relationships. Impact of Risks from Cybersecurity Threats We do not believe that any of the risks from cybersecurity threats we have faced to date have materially affected , or currently viewed as reasonably likely to materially affect, the Company, our business strategy, results of operations or financial condition. However, the scope and impact of any future cybersecurity threats cannot be predicted and there can be no assurance that our cybersecurity risk management program will be effective in preventing material cybersecurity threats in the future. For a description of the risks from cybersecurity threats that may materially affect us, including our results of operations and financial condition, see Item 1A. Risk Factors - We are subject to information technology systems failures, security breaches, loss or leakage of data, technological malfunctions or other disruptions, which could result in, among other things, material disruption of our product development programs, financial losses, the inability to process transactions, the unauthorized release of confidential information and reputational risk, restrictions on accessing critical information and potential exposure to liability, all of which would negatively impact our business, financial condition or results of operations. Governance Board Oversight of Cybersecurity Threats The Board has oversight responsibility for the Company’s overall risk management framework. The Board, acting primarily through the Audit Committee , is also responsible for oversight of our risk management practices, including as to cybersecurity, while management is responsible for the day-to-day risk management processes. Through our CEO and other members of management, the Board receives periodic reports regarding the risks facing the Company, including as to cybersecurity risks. In addition, the Audit Committee assists the Board in its oversight role by receiving regular reports from management regarding risks associated with technology, information systems and controls and security, including risks related to data security, cybersecurity and data privacy and the effectiveness of the Company’s security controls, systems and policies . Role of Management Our management and information technology teams, collectively, have decades of experience in the areas of information technology, finance, legal, human resources, data privacy and risk management. Our internal information technology organization, overseen by our Controller , is responsible for our overall information security strategy, policy, security engineering, operations and cyber threat detection and response . The day-to-day activities of our information technology organization are managed by our current head of information technology, who has more than 30 years of experience in information technology systems and cybersecurity, including experience in safeguarding and monitoring networks and systems, responding to incidents, and reducing the risk of business exposure, and holds multiple industry-recognized certifications. The information technology organization also engages legal and cybersecurity professionals with appropriate subject matter expertise in support of its cybersecurity efforts. The information technology organization manages and continually enhances our enterprise security structure with the goal of preventing cybersecurity incidents to the extent feasible, while simultaneously increasing our system resilience to minimize the business impact should an incident occur. Incident responses under our cybersecurity incident response plan are led by our incident response team, consisting of our Chief Executive Officer (the “CEO”), Chief Financial Officer (the “CFO”), General Counsel, head of information technology and head of human resources, and supported by Legal, Compliance and other functions as appropriate. The incident response team, in connection with outside legal and cybersecurity advisors, is responsible for investigating suspected cybersecurity incidents, taking appropriate steps to contain, mitigate or resolve a cybersecurity incident and reporting findings to management. In the event of a cybersecurity incident, our General Counsel is responsible for convening a materiality incident response team to assess the materiality of cybersecurity incidents meeting certain escalation criteria. Through ongoing communications with the incident response team, management is informed about and monitors the prevention, detection, mitigation and remediation of cybersecurity incidents and progress on cybersecurity initiatives. Management provides regular updates to the Audit Committee and the Board concerning the Company’s technology and cybersecurity programs, associated risks and our efforts to help mitigate those risks.

Company Information